AuditJS 4.0.46 import fails in DefectDojo 2.43.0 due to `id` containing CVE

[Haralishev77]

Summary

When importing a scan generated by auditjs (version 4.0.46) into DefectDojo (version 2.43.0), an Internal Server Error is raised if the vulnerability's id is a CVE (e.g., CVE-2024-44080).

Meanwhile, older examples bundled with DefectDojo that use UUIDs for id (e.g., fc92a5a0-...) work, but the UUID links are now broken on OSS Index.

---

How to Reproduce

1. Generate scan report:

npx auditjs ossi --json > scan_results/auditjs.json

2. Try to import via API:

curl -s -X POST "http://<defectdojo-host>/api/v2/import-scan/" \
  -H "accept: application/json" \
  -H "Authorization: Token <TOKEN>" \
  -F "scan_type=AuditJS Scan" \
  -F "file=@scan_results/auditjs.json" \
  -F "product_name=<product_name>" \
  -F "engagement_name=<engagement_name>" \
  -F "test_title=AuditJS Scan" \
  -F "verified=true" \
  -F "active=true" \
  -F "deduplication_on_engagement=true" \
  -F "auto_create_context=true"

---

Error in logs:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/rest_framework/views.py", line 506, in dispatch
    response = handler(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/mixins.py", line 19, in create
    self.perform_create(serializer)
  File "/app/dojo/api_v2/views.py", line 2517, in perform_create
    serializer.save(push_to_jira=push_to_jira)
  File "/app/dojo/api_v2/serializers.py", line 2425, in save
    self.process_scan(data, context)
  File "/app/dojo/api_v2/serializers.py", line 2252, in process_scan
    context["test"], _, _, _, _, _, _ = importer.process_scan(
                                        ^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/importers/default_importer.py", line 110, in process_scan
    new_findings = self.determine_process_method(self.parsed_findings, **kwargs)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/importers/base_importer.py", line 260, in determine_process_method
    return self.sync_process_findings(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/importers/base_importer.py", line 232, in sync_process_findings
    return self.process_findings(parsed_findings, sync=True, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/importers/default_importer.py", line 170, in process_findings
    unsaved_finding = self.sanitize_severity(non_clean_unsaved_finding)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/importers/base_importer.py", line 558, in sanitize_severity
    starts_with_info = finding.severity.lower().startswith("info")
                       ^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'lower'

---

Investigation

• The CVE-formatted IDs appear to be causing a partial failure in sanitize_severity() during import.
• The root cause might be that the scan parser does not assign a valid severity, possibly due to CVE-formatted id being used as key.

---

Regression

• Example from DefectDojo's repo uses:

"id": "fc92a5a0-4117-4809-89d9-ccbef6c87faf",
"reference": "https://ossindex.sonatype.org/vulnerability/fc92a5a0-4117-4809-89d9-ccbef6c87faf?..."

• These links are now broken (OSS Index likely moved to CVE-based identifiers).

🟢 But scan import works with:

"id": "fc92a5a0-4117-4809-89d9-ccbef6c87faf"

🔴 And fails with:

"id": "CVE-2024-44080"

---

🟢 Correct link:

https://ossindex.sonatype.org/vulnerability/CVE-2024-44080?component-type=npm&component-name=%40jitsi%2Freact-native-sdk&utm_source=auditjs&utm_medium=integration&utm_content=4.0.46

🔴 Broken link:

https://ossindex.sonatype.org/vulnerability/da5a3b11-c75b-48e7-9c28-1123f0a492bf?component-type=npm&component-name=mysql&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25

---

Environment

• DefectDojo: 2.43.0
• AuditJS: 4.0.46
• AuditJS: 4.0.25 (also produces CVE-based IDs with the same result)

---

✍️ Suggested Fixes

• Ensure parser handles CVE-formatted id the same as UUID.
• Gracefully handle missing or invalid severity.
• Consider adjusting example reports in the repo to reflect current OSS Index behavior.

---

JSON Examples

🟢 Accepted Example with UUID id:

[
  {
      "coordinates": "pkg:npm/connect@2.6.0",
      "description": "High performance middleware framework",
      "reference": "https://ossindex.sonatype.org/component/pkg:npm/connect@2.6.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25",
      "vulnerabilities": [
        {
          "id": "7df31426-09a2-4b5f-a0ab-acc699023c57",
          "title": "[CVE-2018-3717] connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vuln...",
          "description": "connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.",
          "cvssScore": 5.4,
          "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "cve": "CVE-2018-3717",
          "reference": "https://ossindex.sonatype.org/vulnerability/7df31426-09a2-4b5f-a0ab-acc699023c57?component-type=npm&component-name=connect&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25"
        }
      ]
  }
]

🟢 Also Accepted with CVE in id:

[
  {
      "coordinates": "pkg:npm/connect@2.6.0",
      "description": "High performance middleware framework",
      "reference": "https://ossindex.sonatype.org/component/pkg:npm/connect@2.6.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25",
      "vulnerabilities": [
        {
          "id": "CVE-2018-3717",
          "title": "[CVE-2018-3717] connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vuln...",
          "description": "connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.",
          "cvssScore": 5.4,
          "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "cve": "CVE-2018-3717",
          "reference": "https://ossindex.sonatype.org/vulnerability/7df31426-09a2-4b5f-a0ab-acc699023c57?component-type=npm&component-name=connect&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25"
        }
      ]
  }
]

🔴 Fails During Import (CVSS:4.0 vector):

[
  {
    "coordinates": "pkg:npm/%40jitsi/react-native-sdk@10.0.1",
    "reference": "https://ossindex.sonatype.org/component/pkg:npm/%40jitsi/react-native-sdk@10.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.46",
    "vulnerabilities": [
      {
        "id": "CVE-2024-44080",
        "title": "[CVE-2024-44080] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
        "description": "In Jitsi Meet before 2.0.9779, the functionality to share an image using giphy was implemented in an insecure way, resulting in clients loading GIFs from any arbitrary URL if a message from another participant contains a URL encoded in the expected format.",
        "cvssScore": 5.3,
        "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "cve": "CVE-2024-44080",
        "reference": "https://ossindex.sonatype.org/vulnerability/CVE-2024-44080?component-type=npm&component-name=%40jitsi%2Freact-native-sdk&utm_source=auditjs&utm_medium=integration&utm_content=4.0.46"
      }
    ]
  }
]

If there’s a recommended way to structure auditjs reports or known limitations around CVE-based IDs or CVSS 4.0 vectors, I’d greatly appreciate any guidance. I’m happy to help test or contribute a fix if needed.

[valentijnscholten]

Thank you for reporting @Haralishev77. I haven't looked at the auditjs parser yet, but in general CVSS4 vectors are not supported et in DefectDojo. It sounds like auditjs had some updates causing these changes in the report data/format.

I’m happy to help test or contribute a fix if needed.

A PR would be very welcome!

[Haralishev77]

Thank you for the response! I'll look into it when I have some time.

[Haralishev77]

Hi, @valentijnscholten!

The Python library for CVSS does not yet support CVSS4 vectors parsing.
I have created a PR (RedHatProductSecurity/cvss#75) to add CVSS4 parsing support to the library.

I think it's better to wait for the upstream library to merge support, instead of manually re-implementing CVSS4 parsing inside DefectDojo (or what's the best way to do it?).

I'll update this question as soon as PR is merged!

[valentijnscholten]

Thank you, that will be helpful once we add CVSS4 support to Defect Dojo. This might be more work than just updating a library. I suggest to raise a feature request with auditjs to allow users to choose cvss3 format as output for cvss vectors.

[Haralishev77]

Yes, I agree. It would be great to have such a feature in AuditJS.

Also, today I managed to successfully upload an AuditJS report with CVSS 4.0 vectors into DefectDojo using the changes I made to the cvss library.

So I’m ready to open a PR to add CVSS4 support for AuditJS parser to DefectDojo.
However, it would be in a "testing" mode for now, since the required changes in the cvss library have not been merged upstream yet (although the PR has already been approved).

[valentijnscholten]

I'm interested in what the PR for DD would look like. But to be able to merge it, we would need a stable release of that parsing library to happen first.

[Haralishev77]

I've opened a draft PR to add CVSS4 vector support to the AuditJS parser:
#12391